They're baaaaaack... Ed Skoudis and I felt strongly that although we haven't had a Skillz Challenge in quite some time, that it would be a shame if we didn't continue the annual tradition of an Ed Skoudis penned Xmas Challenge. If this one goes well, we'll pick it up again and have many more challenges in 2011. So be sure to help spread the word.

Happy Holidays, challenge fans! Ed Skoudis here, with this year’s holiday hacking challenge. Have you ever seen the classic video A Charlie Brown Christmas, and pondered why Charlie Brown is so upset at the start of the video? Also, have you ever wondered why the rest of the Peanuts gang is so focused on the materialism of the Christmas season? Well, this year’s hacking challenge answers these questions. In our tale, you’ll discover that something happened before the start of the Charlie Brown Christmas video that put these characters into such a state. That something is what we like to call…

The Nightmare Before CharlieBrown’s Christmas

These challenges, which are an annual tradition here at EthicalHacker.net, are designed to help people develop their skills, show off their abilities, and have some fun. During past holiday seasons, you got to tangle with the Grinch, Rudolph, that Messy Marvin kid, Frosty, and even Santa himself. And who can forget last year's Miracle on Thirty-Hack Street. Read this challenge, answer the questions, and send your responses in by January 3, 2011 to skillz1210 (at) ethicalhacker.net. We’ll choose three winners, each of whom will get an autographed copy of my Counter Hack Reloaded book. One prize will go to the best technical answer, another to the most creative answer that is technically correct, and the final prize is based on a random draw from every person who submits an answer. Even if you have no idea whatsoever for how to answer the questions, send in your best shot to be entered in the random draw. And now, without further adieu, the curtain rises on our story…

I sadly did it this morning. Didn't get too technical, figured I'd give it a shot while on a conference call (imagine that!). I don't want to disclose much but I will say this to those analyzing VoIP or thinking about VoIP security as a whole...

VoIP is no different than any other protocol (SMTP, HTTP, HTTPS). It is subject to the same attacks, same threats. Forget about the "call" and think about the connection between two devices as you would think about say an SMTP connection. What could occur there? How could it occur? What do I need to look for?

Anyway, I didn't want to get too detailed into the contest because I do this for a living however, I'd like to wait until its over and offer a video demonstration of what I did to analyze, so I will wait until all is said and done, get perms from Don, and present it after the winner is announced.

/ Edited for now to protect the innocent

Last edited by sil on Thu Dec 09, 2010 11:22 am, edited 1 time in total.

No apologies needed hayabusa, in fact I apologized to Don and now to others as I may have made things easier. I'm hoping once its over, I can make a walkthrough on the steps I took, tools I used, etc., I think some may find use in it

Actually, I found Sil's post useful. I've been looking forward to this all year, but I know I don't have the time time to play with it.

I was going to ask about creating a side channel for those of us that want to use it to gain skills, but are willing to publicly and privately bow out of the contest in exchange of creating it. IRC or mailing list.

I have way way too much on my plate right now. Trying to LEARN, NOT DUMP to pass the Security+ by the end of the year. I've already put some of the things I've learned into practice at work. (Improvement of my monitoring tools, and the such). I have a lot of things to do by the end of the year, and not sure I'll get it all done, but going to try.

So somewhere to do a group crack on this challenge and learn some things along the way would be great.

Looking forward to a writeup.

Last edited by rattis on Fri Dec 10, 2010 10:54 am, edited 1 time in total.

They'll be plenty of time for open discussion of everything related to the challenge after the answers & winners are announced in mid Jan. Also keep in mind, that Ed usually does a very thorough job of explaining the answers along with the thoughts behind the challenges. He also explains why participants were chosen as winners or given honorable mention.

This is my first challenge I have participated in. I really enjoyed applying a great deal of my knowledge I acquired by studying for my Network+ and Security+ certs this year. I also learned more about tools I have poked around with in the past.

i'm following here my first challenge and i haven't any knowledge on VoIP. Would you recommend me more to start with past challenges on domains i can face all days or this challenge can be solved without prior knowledge on VoiIP ?Thanks a lot.